VLAN Tag-Based QoS

The QoS—VLAN Tag-Based feature enables you to apply a single QoS policy, referred to as a VLAN-group policy, to a group of IEEE 802.1Q VLAN subinterfaces.

In releases prior to Cisco IOS Release 12.2(31)SB2, you can apply a QoS policy to an interface or a specific subinterface. When applied on the main interface, all of the VLAN subinterfaces configured on the interface inherit the QoS policy of the main interface. When applied to a specific subinterface, each subinterface has its own QoS policy.

In some instances, however, service providers might configure customers in such a way that a single QoS policy is needed for multiple VLAN subinterfaces, but not for all of the subinterfaces configured on the main interface. The QoS—VLAN Tag-Based feature addresses this need by allowing multiple subinterfaces to be treated as an aggregated whole, binding all of the matching subinterfaces together under a single QoS policy.

The configuration of the QoS—VLAN Tag-Based feature entails the creation of VLAN-group classes and the creation of a VLAN-group policy map. Class maps define the groups of VLAN subinterfaces and enable the router to classify multiple VLANs as belonging to the same traffic class: a VLAN-group class. The QoS VLAN-group policy map defines the QoS services for specific VLAN groups and for subinterfaces that do not belong to a specific VLAN group.

You apply the VLAN-group policy to the main interface and if a VLAN subinterface matches one of the VLAN-group classes defined in the VLAN-group policy, the VLAN subinterface and all of the sessions established on that subinterface inherit the QoS services defined for that particular VLAN-group class. If more than one VLAN subinterface matches one of the VLAN-group classes, then the router treats all of the matching VLAN subinterface traffic as an aggregated whole and applies the single VLAN-group policy to the traffic—in particular that portion of the VLAN-group policy that defines QoS services for that specific VLAN-group class.

For hierarchical QoS policies, the router applies the parent shape rate to each group of VLANs. At most, a single VLAN can have a throughput equal to the parent shape rate. If all of the VLANs within the VLAN group are active, the aggregate traffic of all active VLAN-group members is limited to the shape rate.

In an 802.1Q VLAN implementation, the router passes a packet to the dot1q-encapsulated subinterface only if the VLAN ID of the packet matches the VLAN ID configured for the subinterface. Otherwise, the router passes the packet to the main interface. Therefore, you must create a subinterface with a specific VLAN ID before the router can apply QoS on a VLAN ID that is configured as part of a VLAN group.

Feature History for VLAN Tag-Based QoS

Cisco IOS Release

Description

Required PRE

Release 12.2(31)SB22

This feature was introduced and implemented on the Cisco 10000 series router for the PRE2 and PRE3.

PRE2PRE3

VLAN-Groups

A VLAN-group is a traffic class that potentially consists of multiple IEEE 802.1Q VLAN subinterfaces. A class map defines the VLAN group and the match criteria the router uses to classify the traffic as belonging to a specific VLAN group. All of the subinterfaces belonging to a VLAN group share the bandwidth allocated to the group and share the same class queue.

The match vlan command allows you to specify the VLANs you want to include in a VLAN group. The configuration of a VLAN group can include individual VLAN ID values or a range of values. For example, VLANs with IDs 3, 5-8, and 10 can form a VLAN group. The router treats the VLANs specified in a VLAN group as an aggregate whole.

Note If you specify the match vlan command in a class map, you cannot specify other match commands in the same class map. Use the match vlan command only for VLAN grouping.

Only Ethernet, Fast Ethernet, and Gigabit Ethernet interfaces support VLAN groups. For outbound VLAN tag-based policies, use a shape command for each VLAN group.

VLAN-Group Policy Map

A VLAN-group policy map defines QoS services for traffic classes that consists of multiple IEEE 802.1Q VLAN subinterfaces (see the "VLAN-Groups" section). In this way, you can apply a single QoS policy to multiple VLANs belonging to specific VLAN-group classes.

You can attach a VLAN-group policy map to only the main interface. The subinterfaces on the main interface inherit the service policy.

The amount of policy space used is equivalent to the number of VLAN groups defined in the policy, including the VLAN groups defined in match-VLAN class maps and in the class-default class. The limit of available policy space is equivalent to 4096 policy maps.

Modification of a VLAN-Group Policy Map

Adding or removing VLAN-group classes from a VLAN-group policy only affects QoS on the subinterfaces that you added or removed from the policy. Adding or removing class-default classes affects QoS only on the subinterfaces that do not belong to any VLAN group.

Modifying a child policy that is applied to a VLAN-group class in a VLAN-group policy affects QoS on all of the subinterfaces that belong to that VLAN group. Modifying a child policy applied to a class-default class affects QoS on all of the subinterfaces that do not belong to any VLAN group.

VLAN ID

The VLAN ID is a number you specify to identify a VLAN subinterface. The router uses the VLAN ID of packets to classify them as belonging to specific VLAN groups. Valid VLAN ID values are from 1 to 4094.

VLAN-Group Policies and Inheritance

For non-VLAN-group QoS policies, the PRE3 supports the configuration of shaping only at the subinterface level and a hierarchical queuing policy at the virtual template level. In this case, the PPP session traffic uniquely inherits the policy on the virtual template and the aggregate of all of the PPP session traffic is also shaped by the subinterface policy.

All subinterfaces that are not part of a VLAN group and that do not have a service policy attached inherit the policy applied on the class-default class of a VLAN-group policy.

For sessions terminated on a subinterface that is part of a VLAN-group policy, the following occurs:

•If the virtual template applied to the subinterface does not have a QoS policy (non-VLAN-group), the virtual access interface (VAI) that is created when PPP session creation occurs does not uniquely inherit the policy inherited by the subinterface. For example, suppose a subinterface policy shapes traffic to 2 Mbps and two PPPoE sessions initiate. The total traffic from both of the PPPoE sessions is aggregately shaped to 2 Mbps. Each PPP session traffic is not shaped uniquely to 2 Mbps.

•If the virtual template applied to the subinterface has a QoS policy (for example, a non-queuing policy that specifies policing and marking for the PRE2 or all QoS actions for the PRE3), each PPP session traffic is uniquely influenced by the policy defined at the virtual template. For example, suppose a hierarchical QoS policy is configured to police traffic to 2 Mbps. Each PPPoE session traffic is uniquely policed to 2 Mbps. The policy on the subinterface has no affect.

Aggregate Session Traffic

You cannot shape the aggregate session traffic by applying a shaping policy to a VLAN group. Instead, when applying queuing policies to sessions, shape the aggregate session traffic by applying a shaping policy to an 802.1Q VLAN or QinQ subinterface. For more information, see the QoS: Hierarchical Queuing for Ethernet DSLAMs feature module for Cisco IOS Release 12.2(31)SB2.

2Includes the class maps configured for child policies applied to each match-VLAN class and includes the class-default class of the VLAN-group policy.

Statistical Information for VLAN-Group Policies and Classes

The router displays packet statistics for VLAN-group policies using the modular QoS command-line interface (MQC) show commands. Statistical information displayed for VLAN groups represents the aggregate traffic of all of the subinterface members of the specific VLAN group.

The router updates match-VLAN filter statistics only for the aggregate traffic through the VLAN groups.

VLAN Tag-Based QoS on the PRE2 and PRE3

Table 21-2 describes support for various features on the PRE2 and PRE3 when configured with the QoS—VLAN Tag-Based feature.

Table 21-2 VLAN Tag-Based QoS on the PRE2 and PRE3

Feature

PRE2

PRE3

Aggregate priority queues

Not supported

Supported.

Aggregate priority queues should be well within 90% of the maximum rate to guarantee performance.

Aggregate WRED

Not supported

Supported

Allows a maximum of 8 profiles per class and a total of 21 profiles in a policy.

Bandwidth remaining ratio

Not supported

Supported at the parent level of VLAN QoS policies.

VLAN-group policies

Supports simultaneous VLAN-group policy and subinterface policies that are not part of the VLAN-group policy.

Does not support both VLAN-group policies and subinterface policies on the same link simultaneously.

Multiple levels of priority queues

Not supported

Supported

Provides for 2 levels of priority queues.

Strict priority queues

Supported

Supports a strict priority queue without a policer. However, we recommend that you use policers with the priority queue to avoid bandwidth starvation of other class queues.

No supported

Restrictions for VLAN Tag-Based QoS

•When configuring a VLAN tag-based QoS policy map, the router applies the policy to one Ethernet port and only to the VLANs on that particular port.

•Currently, the match vlan command is used only to group VLAN subinterfaces. Do not use the command for any other purpose.

•The match vlan counters update only for one-level QoS policies; they do not update for hierarchical QoS policies.

•The router does not support applying a VLAN-group policy to a virtual template.

•The router does not support the random-detect and priority commands for traffic classes created using the match-vlan command in class maps.

•When creating a class map with the match vlan command, configure the match-any command as the match type.

•You cannot specify traffic classes created using the match-vlan command in the following policies:

–Child policies

–Policies attached to an interface other than a Fast Ethernet or Gigabit Ethernet interface

–Policies in which a non-VLAN-based traffic class exists. (This does not include the class-default class.)

•VLAN group members across the VLAN groups in a VLAN-group policy are mutually exclusive.

•Do not use VLAN ID 1 in a VLAN group unless you create a subinterface with VLAN ID 1.

•For the PRE2, if a policy map specifies a particular VLAN ID, you cannot apply any service policy map to subinterfaces that have that particular VLAN ID (or dot1q ID). However, on the PRE3, you cannot apply policies to the main interface and to subinterfaces, even if the subinterface does not have a matching VLAN-group ID.

•You can apply a VLAN-group policy map only to the main interface; you cannot apply it to subinterfaces.

•You cannot add VLAN-group traffic classes to a policy that already has QoS services defined for traffic classes, even if the class configuration is only the class-default class.

•In a class map, you can specify only the match vlan command as the classification criteria if QoS services are defined for the corresponding traffic class in the parent policy (top-level in a three-level policy) of a hierarchical policy.

•In a class map, you cannot specify the match-vlan command as the classification criteria if QoS services are defined for the corresponding traffic class in a child policy of a hierarchical policy.

•You can apply a child policy to any traffic class in a VLAN-group policy map. The child policy is not restricted to being applied only to the class-default class.

•In a VLAN-group policy map, if you apply a child service policy to a traffic class of an input parent policy, you must configure a non-queuing action such as policing before you apply the child policy. You cannot configure any queuing actions for the parent class, such as shaping, priority, or class-based weighted fair queuing (CBWFQ).

For example, consider the following sample configuration:

policy-map Input_Parent

class vlangrp1

police percent 10

service-policy Child1

class vlangrp2

police percent 30

class vlangrp3

shape 512000

service-policy Child2

class vlangrp4

police 8000

service-policy Child3

–The class vlangrp1 is a valid configuration for input traffic because it has a non-queuing action (policing) defined before the Child1 service policy is applied.

–The class vlangrp2 is a valid configuration because non-queuing actions are permitted for input policies.

–The class vlangrp3 is an invalid configuration for this input parent policy because it contains a queuing action (shape).

Note If this was an output parent policy, the class vlangrp3 would be a valid configuration because queuing actions such as shape are permitted for output policies.

–The class vlangrp4 is a valid configuration for an input parent policy because it contains a non-queuing action (police) before applying the child service policy.

•For an output parent policy, the PRE2 allows you to configure only the shape command on the parent class. The PRE3 allows you to configure the shape command and the bandwidth remaining ratio command on the parent class. The bandwidth remaining ratio command allows you to define a proportionate share of the bandwidth for allocation to VLAN groups during periods of congestion.

•You can configure the shape command and service-policy command for a traffic class of an output parent policy.

For example, the following sample configuration shows how to configure an output parent policy:

policy-map Egress_Parent

class vgrp1

shape 128000

service-policy Child3

class vgrp2

shape 512000

service-policy Child2

class class-default

shape 2000000

service-policy Child1

For the input direction, if you apply a QoS policy to a match-vlan traffic class, you must configure a police action.

•If you attach a VLAN-group policy in the outbound direction, configure a shaper for each VLAN group so that the group has its own VTMS link. Otherwise, the traffic for that VLAN group uses the VTMS link and queues of the main interface.

•For VLAN-based classes with multiple VLAN match filters defined, traffic accounting is updated as an aggregate under the first match-VLAN filter for the class in the policy. The router does not maintain individual match-VLAN filter statistics.

•You cannot delete a match-VLAN filter from a class map if only a single filter is configured in the class map. You can modify the class map filters either by deleting the class from the policy or adding the required VLAN filters to the class before deleting all of the VLAN filters from the class map.

•Although the router supports QinQ subinterfaces, the VLAN Tag-Based feature does not support QinQ subinterfaces under a VLAN group. You can use only 802.1Q subinterfaces for VLAN groups. These subinterfaces have a single inner VLAN ID.

Configuring VLAN Tag-Based QoS

To configure VLAN tag-based QoS, perform the following configuration tasks:

Configuration Guidelines for VLAN Tag-Based QoS

•Configure the match-vlan command as the only filtering criteria for a class map.

If you attempt to apply a policy map that includes a traffic class for which the match-vlan command and other match commands are configured, the attempt fails and an error message displays.

•Configure the match-any command with the match-vlan command.

A class map configured for classification of VLAN-group traffic must match any of the specified VLAN criteria. If you do not specify the match-any command as part of the class map match-vlan criteria and you attempt to specify that class in a policy map, the attempt fails and an error message displays.

•Configure VLAN-group traffic classes (created using the match-vlan command in a class map) only in the parent class of hierarchical policy maps. For example, in a three-level hierarchical policy, the parent class is the topmost level of the policy.

If you attempt to configure a VLAN-group traffic class in a child policy, the attempt fails and an error message displays.

•Do not attach a policy map to an 802.1Q VLAN subinterface with a VLAN ID if the subinterface is part of a VLAN-group with a defined policy.

If an 802.1Q VLAN subinterface has a VLAN ID that is specified as part of a VLAN-group and a VLAN-group policy is attached to an interface, if you attempt to attach a QoS policy to the subinterface participating in the VLAN group, the attempt fails and an error message displays.

•Attach child policies under any class defined in a VLAN-group policy.

For a VLAN-group policy, you are not required to only attach child policies under the class-default class of a parent policy. You may apply child policies to the class-default class of another child policy, the class-default class of a parent policy, or to other classes defined in parent and child policies.

Note This applies only to VLAN-group policies. For other QoS policies, you must apply child policies only to the class-default class of a parent policy.

•Do not configure any other QoS actions for a parent class if you apply a child policy to that class.

For a VLAN-group policy, if a class of a parent policy map specifies the service-policy command, do not configure any other QoS actions for that class.

•Configure only the shape command in outbound parent classes of a VLAN-group policy if a child policy is applied to that class.

Configuring VLAN-Group Class Maps

To configure a VLAN-group class map, which creates a VLAN-group traffic class, enter the following commands beginning in global configuration mode:

(Optional) match-any indicates that if the VLAN ID of a packet matches any of the specified VLAN IDs, classify the packet as belonging to the traffic class.

Note The router does not support the match-all keyword for VLAN-based classification.

class-map-name is the name of the class map. You can specify the class-default class as the class map name to configure a traffic class to which the router assigns all of the traffic that does not match another configured class.

Step 2

Router(config-cmap)# match vlanvlanid

Configures VLANs as the criteria the router uses to match packets to the traffic class.

vlanid is a VLAN identification number(s) or a range of numbers. Valid values are from 1 to 4095.

Examples

The following example configuration creates a VLAN group named customer1 with VLANs 2, 3, 4, 5, and 7 as members of the group:

Router> enable

Router# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)# class-map match-any customer1

Router(config-cmap)# match vlan 2 3-5 7

Router(config-cmap)# exit

Configuring a VLAN-Group Policy

Use the following configuration tasks to configure a VLAN-group policy:

vgrp-cmap-name is the name of a previously configured match-vlan class map.

Step 3

Router(config-pmap-c)# service-policypolicy-map-name

Applies the policy map you specify to the inbound VLAN-group traffic class.

policy-map-name is the name of the policy map that you want to apply to the traffic class.

Step 4

Router(config-pmap-c)# class class-default

Configures the class-default class for inbound traffic.

Note The router uses the class-default class to apply QoS services to all of the traffic that does not belong to any other VLAN-group traffic class.

Step 5

Router(config-pmap-c)# service-policypolicy-map-name

Applies the policy map you specify to the inbound default traffic class.

policy-map-name is the name of the policy map that you want to apply to the default traffic class.

Example

The following example configuration shows how to configure a VLAN-group policy for inbound traffic. In the example, QoS policies are created for VLAN traffic (policy1 and policy2) and for default traffic (policy5). The policy map named input applies QoS services to VLAN groups and to the class-default class for all of the inbound traffic that does not belong to the VLAN groups classes.

class-map-name is the name of a previously configured class map and is the traffic class for which you want to define QoS actions. For a VLAN-group policy, specify the name of a VLAN group traffic class.

Step 3

Router(config-pmap-c)# shape [average]mean-rate

Shapes traffic to the indicated bit rate.

(Optional) average indicates that the Committed Burst (Bc) is the maximum number of bits sent out in each interval.

(Optional) mean-rate is also called committed information rate (CIR). Indicates the bit rate used to shape the traffic, in bits per second. When this command is used with backward explicit congestion notification (BECN) approximation, the bit rate is the upper bound of the range of bit rates that will be permitted.

Step 4

Router(config-pmap-c)# service-policypolicy-map-name

(Optional) Applies the policy map you specify to the outbound traffic class.

policy-map-name is the name of the policy map that you want to apply to the traffic class.

Step 5

Router(config-pmap-c)# class class-default

Configures the class-default class for outbound traffic.

The router uses the class-default class to apply QoS services to all of the traffic that does not belong to any other traffic class.

Step 6

Router(config-pmap-c)# shape [average]mean-rate

Shapes the default traffic to the indicated bit rate.

(Optional) average indicates that the Committed Burst (Bc) is the maximum number of bits sent out in each interval.

(Optional) mean-rate is also called committed information rate (CIR). Indicates the bit rate used to shape the traffic, in bits per second. When this command is used with backward explicit congestion notification (BECN) approximation, the bit rate is the upper bound of the range of bit rates that will be permitted.

Step 7

Router(config-pmap-c)# service-policypolicy-map-name

Applies the policy map you specify to the outbound default traffic class.

policy-map-name is the name of the policy map that you want to apply to the default traffic class.

Example

The following example configuration shows how to configure a QoS policy for outbound VLAN-group traffic. In the example, QoS policies are created for VLAN traffic (policy1 through policy4) and for default traffic (policy5). The policy map named output applies QoS services to VLAN groups and to the class-default class for all of the traffic that does not belong to the VLAN groups classes.

Router(config)# policy-map policy1

Router(config-pmap-c)# class vgrp1

Router(config-pmap-c)# set cos 2

Router(config-pmap)# class vgrp2

Router(config-pmap-c)# police percent 20

!

Router(config)# policy-map policy2

Router(config-pmap)# class vgrp2

Router(config-pmap-c)# police 512000

Router(config-pmap-c)# class vgrp1

Router(config-pmap-c)# police 64000

!

Router(config)# policy-map policy3

Router(config-pmap)# class vgrp2

Router(config-pmap-c)# bandwidth 64000

Router(config-pmap-c)# police percent 20

Router(config-pmap-c)# class vgrp1

Router(config-pmap-c)# random-detect dscp 6

!

Router(config)# policy-map policy4

Router(config-pmap)# class vgrp2

Router(config-pmap-c)# bandwidth 128000

Router(config-pmap-c)# police percent 10

Router(config-pmap-c)# class vgrp1

Router(config-pmap-c)# bandwidth 64000

Router(config-pmap-c)# random-detect dscp 3

!

Router(config)# policy-map policy5

Router(config-pmap)# class class-default

Router(config-pmap-c)# police 32000

!

Router(config)# policy-map output-policy

Router(config-pmap)# class vgrp-customer1

Router(config-pmap-c)# shape 2000000

Router(config-pmap-c)# service-policy policy3

Router(config-pmap-c)# class vgrp-customer2

Router(config-pmap-c)# shape 512000

Router(config-pmap-c)# service-policy policy4

Router(config-pmap-c)# class class-default

Router(config-pmap-c)# shape 128000

Router(config-pmap-c)# service-policy policy5

Attaching VLAN Tag-based Policies

You must attach a VLAN tag-based policy to a main interface. The router does not support a VLAN tag-based policy on a subinterface.

To attach a VLAN tag-based policy to an interface, enter the following commands beginning in global configuration mode:

type is the interface type, which must be Ethernet, Fast Ethernet, or Gigabit Ethernet.

slot/module/port.subinterface is the number of the subinterface that identifies the subinterface (for example, 1/0/0.1).

(Optional) point-to-point indicates that the subinterface is a point-to-point subinterface.

(Optional) multipoint indicates that the subinterface is a point-to-multipoint subinterface.

Step 9

Router(config-if)# encapsulation dot1qvlan-id

Enables IEEE 802.1Q encapsulation of traffic on the specified subinterface in a virtual LAN (VLAN

vlan-id is the virtual LAN identifier. The allowed range is from 1 to 4095. For the IEEE 802.1Q-in-Q VLAN Tag Termination feature, the first instance of this argument defines the outer VLAN ID, and the second and subsequent instances define the inner VLAN ID.

Step 10

Router(config-if)# service-policy [input | output]policy-map-name

Applies the policy map you specify to the interface.

input indicates to apply the policy to inbound traffic.

output indicates to apply the policy to outbound traffic.

policy-map-name is the name of the policy map that you want to apply to the traffic class.

Example

The following example configuration shows how to attach a VLAN tag-based policy named policy1 to the Gigabit Ethernet main interface 1/0/0 for outbound traffic.

Configuration Examples for VLAN Tag-Based QoS

Configuring a VLAN Tag-Based QoS Policy: Example

The following configuration example shows how to configure a VLAN tag-based QoS policy using the PRE3 hierarchical queuing framework. In the example, the policy map named service1 defines QoS services for two VLAN traffic classes: vlans_5_to_10 and vlans_11_to_14. The child-policy1 defines QoS services for voice, video, data, and default traffic, and is applied to both of the VLAN classes in service1.

The following configuration example shows an invalid configuration in which the subinterface-shaper policy is attached to the Gigabit Ethernet subinterface 1/1/1.5 and the vlangroup-shapers policy is attached to the main interface, Gigabit Ethernet interface 1/1/1. In this example, the traffic classes defined in the subinterface-shaper policy match the VLAN-group classes in the vlangroup-shapers policy. As a result, this configuration is invalid because the router does not support the attachment of a QoS policy on a subinterface that matches any of the VLAN-group traffic classes in a policy attached to the main interface.

–The class vlangrp1 is a valid configuration for input traffic because it has a non-queuing action (policing) defined before the Child1 service policy is applied.

–The class vlangrp2 is a valid configuration because non-queuing actions are permitted for input policies.

–The class vlangrp3 is an invalid configuration for this input parent policy because it contains a queuing action (shape).

Note If this was an output parent policy, the class vlangrp3 would be a valid configuration because queuing actions such as shape are permitted for output policies.

–The class vlangrp4 is a valid configuration for an input parent policy because it contains a non-queuing action (police) before applying the child service policy.

•For an output parent policy, the PRE2 allows you to configure only the shape command on the parent class. The PRE3 allows you to configure the shape command and the bandwidth remaining ratio command on the parent class. The bandwidth remaining ratio command allows you to define a proportionate share of the bandwidth for allocation to VLAN groups during periods of congestion.

For example, the following sample configuration shows how to configure an output parent policy:

policy-map Egress_Parent

class vgrp1

shape 128000

service-policy Child3

class vgrp2

shape 512000

service-policy Child2

class class-default

shape 2000000

service-policy Child1

•For input policies, if you apply a child QoS policy to a VLAN-group traffic class (created using the match-vlan command in a class map), you must first configure a policing action. The router supports non-queuing actions (policing) for input policies, and both queuing (shaping) and non-queuing (policing) actions for output policies.

•If you attach a VLAN-group policy in the outbound direction, configure a shaper for each VLAN group so that the group has its own VTMS link. Otherwise, the traffic for that VLAN group uses the VTMS link and queues of the main interface.

•For VLAN-based classes with multiple VLAN match filters defined, traffic accounting is updated as an aggregate under the first match-VLAN filter for the class in the policy. The router does not maintain individual match-VLAN filter statistics.